Chapters
36 Chapters
|
3:44:20
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!
Subscribe to download the code!
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": ">=8.1",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "3.1.x-dev", // 3.1.x-dev
"doctrine/annotations": "^2.0", // 2.0.1
"doctrine/doctrine-bundle": "^2.8", // 2.10.2
"doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.4
"doctrine/orm": "^2.14", // 2.16.1
"nelmio/cors-bundle": "^2.2", // 2.3.1
"nesbot/carbon": "^2.64", // 2.69.0
"phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
"phpstan/phpdoc-parser": "^1.15", // 1.23.1
"symfony/asset": "6.3.*", // v6.3.0
"symfony/console": "6.3.*", // v6.3.2
"symfony/dotenv": "6.3.*", // v6.3.0
"symfony/expression-language": "6.3.*", // v6.3.0
"symfony/flex": "^2", // v2.3.3
"symfony/framework-bundle": "6.3.*", // v6.3.2
"symfony/property-access": "6.3.*", // v6.3.2
"symfony/property-info": "6.3.*", // v6.3.0
"symfony/runtime": "6.3.*", // v6.3.2
"symfony/security-bundle": "6.3.*", // v6.3.3
"symfony/serializer": "6.3.*", // v6.3.3
"symfony/stimulus-bundle": "^2.9", // v2.10.0
"symfony/string": "6.3.*", // v6.3.2
"symfony/twig-bundle": "6.3.*", // v6.3.0
"symfony/ux-react": "^2.6", // v2.10.0
"symfony/ux-vue": "^2.7", // v2.10.0
"symfony/validator": "6.3.*", // v6.3.2
"symfony/webpack-encore-bundle": "^2.0", // v2.0.1
"symfony/yaml": "6.3.*", // v6.3.3
"symfonycasts/micro-mapper": "^0.1.0" // v0.1.1
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.4
"mtdowling/jmespath.php": "^2.6", // 2.6.1
"phpunit/phpunit": "^9.5", // 9.6.11
"symfony/browser-kit": "6.3.*", // v6.3.2
"symfony/css-selector": "6.3.*", // v6.3.2
"symfony/debug-bundle": "6.3.*", // v6.3.2
"symfony/maker-bundle": "^1.48", // v1.50.0
"symfony/monolog-bundle": "^3.0", // v3.8.0
"symfony/phpunit-bridge": "^6.2", // v6.3.2
"symfony/stopwatch": "6.3.*", // v6.3.0
"symfony/web-profiler-bundle": "6.3.*", // v6.3.2
"zenstruck/browser": "^1.2", // v1.4.0
"zenstruck/foundry": "^1.26" // v1.35.0
}
}
4 Comments
Hi,
I'm working on an api with a State Provider and Voter, I'm finding that the provider is invoked before the voter. This leads to some odd results, 404 instead of 401. In the API Platform doc's I can see that providers are invoked by ReadListener event, and debugging my projects kernel.request (bin/console debug:event-dispatcher kernel.request) I can see DenyAccessListener is next in the ordering.
Is there a way I invoked my Voter before the State Provider?
Thanks
Hey @Joe-L!
Hmm. Assuming you're talking about a voter used in a context like this:
Then you're totally right... and the problem is that the provider must be invoked first so that the
objectis available to be passed to the voter.You said that you're hitting a 404 instead of a 401? Is that because your provider contains the logic to filter down and only return the correct record(s) based on your security rules? If so, for the item operation, if you need a 401, I would stop doing that, allow the object to be found and then let your voter do its work.
But maybe you have some more complex requirements. Let me know!
Cheers!
Hi Ryan,
I have a provider to retrieve data from an external source (in this case S3), and want to add security to limit who has access to this endpoint.
If a request is made with a bad id and by a user who doesn't meet the requirements in the voter, then a 404 is return. In my opinion this would suggest the user has access but has provided the wrong id. Is there a different solution I should be using when I want to limit the API access regardless of the content in the response? In this case we're potentially making unnecessary requests to our external source, we'd like to mitigate this as much as possible.
Many thanks
Hey @Joe-L!
Sorry for the slow reply - life hit :)
I see - the provider does its job and THEN if successful the voter is called. There's really nothing wrong with adding some security code into the provider itself. If you want to trigger a 403, I think you can just throw an
AccessDeniedExceptionand that'll throw you into the normal 403 flow.Let me know if that helps!
Cheers!
"Houston: no signs of life"
Start the conversation!